Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 765352 (CVE-2020-35459, CVE-2021-3020)

Summary: sys-cluster/crmsh: multiple vulnerabilities
Product: Gentoo Security Reporter: John Helmert III <ajak>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: CONFIRMED ---    
Severity: trivial CC: cluster, lukasz, pinkbyte, vovan
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://www.openwall.com/lists/oss-security/2021/01/12/3
Whiteboard: ~1 [ebuild?]
Package list:
Runtime testing required: ---

Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-01-13 22:19:32 UTC 
CVE-2020-35459 (http://www.openwall.com/lists/oss-security/2021/01/12/3):

An issue was discovered in ClusterLabs crmsh through 4.2.1. Local attackers able to call "crm history" (when "crm" is run) were able to execute commands via shell code injection to the crm history commandline, potentially allowing escalation of privileges.


Maintainers, I can't find a patch applied to crmsh in Git, so please confirm
if a newer release fixes this issue. There's also a patch at URL which might
work if not.
Comment 1 Ultrabug gentoo-dev 2021-02-08 09:26:46 UTC 
I dropped the older versions, only 4.2.1 is left in tree !

Thanks
Comment 2 Ultrabug gentoo-dev 2021-02-08 09:29:18 UTC 
hmm on a second read, it seems that "through" 4.2.1 means that it's also affected right?

There's no higher release yet.
Comment 3 Zdravko Spoljar 2021-02-10 02:31:37 UTC 
 # crm node status        
Fatal error:
    No module named 'parallax'


in version 4.2.1. ?
Comment 4 NATTkA bot gentoo-dev 2021-07-29 17:24:32 UTC Comment hidden (obsolete)
Comment 5 NATTkA bot gentoo-dev 2021-07-29 17:33:03 UTC Comment hidden (obsolete)
Comment 6 NATTkA bot gentoo-dev 2021-07-29 17:40:53 UTC Comment hidden (obsolete)
Comment 7 NATTkA bot gentoo-dev 2021-07-29 17:49:04 UTC Comment hidden (obsolete)
Comment 8 NATTkA bot gentoo-dev 2021-07-29 18:04:59 UTC Comment hidden (obsolete)
Comment 9 NATTkA bot gentoo-dev 2021-07-29 18:13:17 UTC 
Package list is empty or all packages have requested keywords.
Comment 10 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-08-10 18:07:34 UTC 
Patches in 4.3.1:

https://github.com/ClusterLabs/crmsh/commit/7f6f8d5b05ba160c3902f7b2ddcbd66de64da207
https://github.com/ClusterLabs/crmsh/commit/c538024b8ebd138dc373b005189471d9b77e9c82

These also reference CVE-2021-3020, which is only marked as reserved. The corresponding SUSE bug is also private.
Comment 11 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-08-26 15:50:51 UTC 
CVE-2021-3020:
https://github.com/ClusterLabs/crmsh/commit/c538024b8ebd138dc373b005189471d9b77e9c82

An issue was discovered in ClusterLabs Hawk (aka HA Web Konsole) through 2.3.0-15. It ships the binary hawk_invoke (built from tools/hawk_invoke.c), intended to be used as a setuid program. This allows the hacluster user to invoke certain commands as root (with an attempt to limit this to safe combinations). This user is able to execute an interactive "shell" that isn't limited to the commands specified in hawk_invoke, allowing escalation to root.

I'm not sure how crmsh relates to this.
Comment 12 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-11-28 03:59:17 UTC 
Sergey, since you reversed the mask, could you offer any commentary on this security bug? If these issues aren't solved, we may as well last rite this for its security problems.
Comment 13 Sergey Popov gentoo-dev 2022-11-29 07:39:01 UTC 
(In reply to John Helmert III from comment #12)
> Sergey, since you reversed the mask, could you offer any commentary on this
> security bug? If these issues aren't solved, we may as well last rite this
> for its security problems.

Older versions of crmsh ships hardcoded values for autoconfigure root ssh keys and execute commands at root level. Newer versions can do this for supplied user, instead of root.

This is definitely fixed in 4.3.1

I am working on version bump(to 4.4.0), but it requires some time, because my test lab is not perfect in terms of speed :-/